Secure Biometric Authentication With Improved Accuracy

Manuel Barbosa (2), Thierry Brouard (1), Stephane Cauchie (1,3), and Simão Melo De Sousa (3)

(1) Laboratoire Informatique de l'Université François Rabelais de Tours, stephane.cauchie@univ-tours.fr
(2) Departamento de Informática, Universidade do Minho, mbb@di.uminho.pt
(3) Departamento de Informática, Universidade da Beira Interior, desousa@ubi.pt

Abstract. We propose a new hybrid protocol for cryptographically secure biometric authentication. The main advantages of the proposed protocol over previous solutions can be summarised as follows: (1) potential for much better accuracy using different types of biometric signals, including behavioural ones; and (2) improved user privacy, since user identities are not transmitted at any point in the protocol execution. The new protocol takes advantage of state-of-the-art identification classifiers, which provide not only better accuracy, but also the possibility to perform authentication without knowing who the user claims to be. Cryptographic security is based on the Paillier public key encryption scheme.

Keywords: Secure Biometric Authentication, Cryptography, Classifier.

1 Introduction

Biometric techniques endow a very appealing property to authentication mechanisms: the user is the key, meaning there is no need to securely store secret identification data. Presently, most applications of biometric authentication consist of closed self-contained systems, where all the stages in the authentication process, and usually all static biometric profile information underlying it, are executed and stored in a controlled and trusted environment. This paper addresses the problem of implementing distributed biometric authentication systems, where data acquisition and feature recognition are performed by separate sub-systems, which communicate over an insecure channel. This type of scenario may occur, for instance, if one intends to use biometric authentication to access privileged resources over the Internet. Distributed biometric authentication requires hybrid protocols integrating cryptographic techniques and pattern recognition tools. Related work in this area has produced valid solutions from a cryptographic security point of view. However, these protocols can be seen as rudimentary from a pattern-recognition point of view. In fact, regardless of the security guarantees that so-called fuzzy cryptosystems provide, they present great limitations on the accuracy that can be achieved, when compared to purely biometric solutions resorting to more powerful pattern recognition techniques.

In this paper, we propose a solution which overcomes this accuracy limitation. Our contribution is a protocol offering the accuracy of state-of-the-art pattern recognition classifiers and strong cryptographic security. To achieve our goals we follow an approach to hybrid authentication protocols proposed by Bringer et al. [1]. In our solution we adapt and extend this approach to use a more accurate and stable set of models, or classifiers, which are widely used in the pattern recognition community in settings where cryptographic security aspects are not considered. Interestingly, the characteristics of these classifiers allow us not only to achieve better accuracy, but also to improve the degree of privacy provided by the authentication system. This is possible because we move away from authentication classifiers and take advantage of an identification classifier. An identification classifier does not need to know who the user claims to be in order to determine whether she belongs to the set of valid users in the system and to determine her user identifier. An additional contribution of this paper is to formalise the security models for the type of protocol introduced by Bringer et al. [1]. We show that the original protocol is actually insecure under the original security model, although it can be easily fixed. We also extend the security model to account for eavesdroppers external to the system, and provide a security argument that our solution is secure in this
extended security model.

The remainder of the paper is organised as follows. We first summarise related work in Section 2 and we introduce our notational framework for distributed biometric authentication systems in Section 3. We propose our secure biometric authentication protocol and security models in Section 4. In Section 5 we present a concrete implementation based on the Support Vector Machine classifier and the Paillier public key encryption scheme, including the corresponding security analysis. Finally, we discuss our contributions in Section 6.

2 Related Work

Fuzzy extractors are a solution to secure biometric authentication put forward by the cryptographic community [2]. Here, the pattern recognition component is based on error correction. A fuzzy extractor is defined by two algorithms. The generation algorithm takes a user's biometric data $w$ and derives secret randomness $r$. To allow for robustness in reconstructing $r$, the generation algorithm also produces public data $pub$. On its own, $pub$ reveals no useful information about the biometric data or the secret randomness. The reconstruction algorithm permits recovering $r$ given a sufficiently close measurement $w'$ and $pub$. To use a fuzzy extractor for secure remote authentication, the server would store $(pub, r)$ during the enrolment stage. When the user wants to authenticate, the server provides the corresponding public information $pub$, so that it is possible to reconstruct $r$ from a fresh reading $w'$. The user is authenticated once the server confirms that $r$ has been correctly reconstructed; for example, $r$ can be used to derive a secret key.

A problem with this solution is that security is only guaranteed against eavesdroppers: the server must be authenticated and the public information transmitted reliably. Additionally, Boyen [3] later showed that, even in this scenario, it is not possible to guarantee that security is preserved if the same fuzzy extractor is used to authenticate a user with multiple servers. An adversary might put together public information and secrets leaked from some of the servers to impersonate the user in another server. The same author proposed improved security models and constructions to solve this problem. Boyen et al. [4] later addressed a different problem which arises when the channel to the server is not authenticated and an active adversary can change the value of $pub$. The original fuzzy extractor definition and security model do not ensure that such an adversary is unable to persuade the user that it is the legitimate server. The authors propose a robust fuzzy extractor that permits achieving mutual authentication over an insecure channel.

The protocol proposed by Bringer et al. [1] uses the Goldwasser-Micali encryption scheme, taking advantage of its homomorphic properties. The protocol performs biometric classification using the Hamming distance between fresh biometric readings and stored biometric profiles. User privacy protection is ensured by hiding the association between biometric data and user identities. For this to be possible one must distribute the server-side functionality: an authentication service knows the user's claimed identity and wants to verify it, a database service stores user biometric data in such a way that it cannot possibly determine to whom it belongs, and a matching service ensures that it is possible to authenticate users without making an association between their identity and their biometric profile. These servers are assumed to be honest-but-curious and, in particular, they are assumed to follow the protocol and not to collude to break its security.

Authentication Accuracy. In this paper we propose a protocol which improves authentication accuracy while ensuring strong cryptographic security. It is important to support our claims from a pattern recognition accuracy perspective. In the following table we present experimental results found in the literature, to compare the accuracy (Equal Error Rate, see footnote 1) of advanced pattern recognition classifiers (Classifier Error) with that of those adopted in existing hybrid authentication protocols, or so-called fuzzy cryptosystems (Fuzzy Error).

Biometric Data | References | Bit Length | Fuzzy Error | Classifier Error
Key stroke     | [5]/[6]    | 12         | 48%         | 1.8%
Voice          | [7]/[8]    | 46         | 20%         | 5%
Tactim         | [9]        | 16         | 15%         | 1%
Signature      | [10]/[11]  | 40         | 28%         | 5%
Face           | [12]/[13]  | 120        | 5%          | 0.6%
Fingerprint    | [14]/[15]  | 128        | 17%         | 8%
Iris           | [16]       | 140        | 5%          | 5%

Footnote 1: Percentage of recognition errors when the biometric system is adjusted in order to obtain the same false positive and false negative rates.

Results are presented for both physiological (iris, face and fingerprint) and behavioural (key stroke, voice, tactim, signature) biometric data. From the results in the table, one can conclude that advanced classifiers consistently outperform simple distance-based (fuzzy) classification techniques. However, this is most important for behavioural biometry, where fuzzy techniques present significantly worse accuracy rates. An empirical explanation for this shortcoming is that fuzzy pattern recognition components can deal with acquisition variability but not with user variability, which plays a major role in behavioural biometry. From a pattern recognition point of view, advanced classifiers are built on the assumption that two users may produce close measurements. Classification focuses on the boundaries between users, and some of them, like the Support Vector Machine (SVM) classifier [17], can optimally minimise the error risk.

3 Biometric systems

In this section we present a precise definition of a pattern recognition system for biometric authentication and identification, which we will later use in the definition of our hybrid authentication protocol. We take a particular type of biometric parameter $b \in B$, where $B$ denotes the complete set of biometric parameters. The basic tool associated with $b$ is an adequate sensor, denoted by the application $\mathbf{b}: \mathcal{U} \to V$, where $\mathcal{U}$ is a set representing the universe of possible users and $V$ represents a sensor-dependent space of biometric features (usually an $n$-tuple of real numbers). We will refer to the output of the sensor as a feature (see footnote 2). Consider a
set of users $U \subseteq \mathcal{U}$. The goal is to recover the pre-image of a feature $\mathbf{b}(u)$, for $u \in U$, using prior knowledge of a users' profile $w_U \in W$, where $W$ is a sensor-dependent set of possible users' profiles, and an inversion function called a classifier. Usually a classifier is a two-stage procedure: (1) there is a pre-decision processing stage $cl$, which takes a feature and pre-established profile information and returns classification data such as confidence intervals, distances, etc.; and (2) a decision stage $D$ which makes the final decision using an appropriate criterion, for example a pre-defined threshold, majority rules, etc. Ideally, one expects that classification satisfies

$$\forall u \in U,\quad D(cl(\mathbf{b}(u), w_U)) = u \qquad\qquad \forall u \in \mathcal{U} \setminus U,\quad D(cl(\mathbf{b}(u), w_U)) = \bot$$

At this stage a distinction must be made between biometric authentication and biometric identification systems. A system satisfying the previous predicate (or a close enough relaxation that is good enough for practical applications) for a set of users $U$ such that $|U| > 1$ is called a biometric identification system. Systems satisfying these conditions for only a single user are called biometric authentication systems. Note that it is possible to use a biometric authentication system for identification, e.g. by trying all possible users in a database. However, depending on the biometric parameter and sensor technology, the accuracy of such a system may suffer from overlaps in user profiles. From the point of view of cryptographic protocols, this distinction is also important. In fact, all solutions we have encountered in the literature assume that we are dealing with a biometric authentication system, which means that the user's claimed identity must be transmitted over the network. If we move to a biometric identification system, the authentication protocol can be implemented by transmitting only the user's biometric data. We will return to this issue in the next section.

Footnote 2: In practice raw sensor outputs must be pre-processed using feature extraction before classification can be performed. To be precise, we could denote the acquisition of the raw signal by a non-deterministic application $a_b$, and feature extraction by a deterministic application $f$. We would then have $\mathbf{b} = a_b \circ f$.

Setting up and operating a biometric authentication system involves two separate procedures: a set-up stage called Enrolment, and the actual operation stage called Generalisation. We now describe these in more detail.

Enrolment. This is usually split into two steps: (1) the acquisition and feature extraction step, and (2) the learning step. The first step constructs a reference set of feature values $\mathbf{b}(u)$ ($\forall u \in U$), called a training set. The learning step uses the training set to construct the users' profile $w_U$.

Generalisation. This is also split into two steps: (1) the acquisition and feature extraction step, and (2) the decision step. The former consists of collecting a feature $v = \mathbf{b}(unknown)$ for an unknown user. The decision step uses the classifier $cl$ and profile data $w$ to determine which user is $unknown$. More precisely, the decision check is $\{u \in U, \bot\} \leftarrow D(cl(v, w_U))$.

In this context, we define a pattern recognition system for biometric identification as follows.

Definition 1. A pattern recognition system for biometric identification is a 5-tuple $\langle b, U, \mathbf{b}, D \circ cl, w_U \rangle$, where the tuple elements are as described above.

Remark. We stress that the concept of profile $w_U$ usually adopted within the pattern recognition community constitutes, in the context of our work, a security-critical parameter. This is because it usually reveals private user information such as a user-specific region in a sensor-dependent parameter space $W$. In particular, if this information is leaked, anyone can determine whether a feature belongs to a particular user. The vulnerability detected in the protocol proposed by Bringer et al. is based on the fact that an attacker may recover a user profile from a protocol trace. This means that it can perform classification itself, even though it would never be able to break the encryption scheme protecting the user features used in an authentication
run.

4 Proposed Authentication Protocol

In this section we propose a new authentication protocol based on the approach in [1]. We take advantage of a biometric identification scheme implemented using a more powerful pattern recognition technique in the form of a multi-class classifier to achieve improved accuracy and security properties.

4.1 Participants and their roles

The following diagram depicts the data flow between the different participants in our protocol.

[Figure: data flow between the client-side Sensor (S) and the server-side AS, DB and VS. Messages: 1: auth, 2: auth, 3: class, 4: sclass, 5: d.]

The server-side functionality is partitioned in three components to ensure that no single entity can associate a user's identity with the biometric data being collected during authentication. The participants in the authentication protocol are the following:

1. The Sensor (S) is the only client-side component. Following the approach in [1], we assume that the sensor is capable of capturing the user's biometric data, extracting it into a binary string, and performing cryptographic operations such as public key encryption. We also assume a liveness link between the sensor and the server-side components, to provide confidence that the biometric data received on the server side is from a present living person.
2. The Authentication Service (AS) is responsible for communicating with the user who wants to authenticate and organising the entire server-side procedure. In a successful authentication the AS will obviously learn the user's identity, which means that it should learn nothing about the biometric data being submitted.
3. The Database Server (DB) securely stores the users' profile ($w_U$) and its job is to execute the pre-decision part of classification ($cl$). Since the DB is aware of privileged biometric data, it should learn nothing about the user's identity, or even be able to correlate or trace authentication runs from a given (unknown) user.
4. The Verification Server (VS) completes the authentication process by taking the output produced by the DB server and computing the final decision ($D$) step. This implies that the VS possesses privileged information that allows it to make a final decision, and again that it should not be able to learn anything about the user's real identity, or even be able to correlate or trace authentication runs from a given (unknown) user.

4.2 Enrolment and system set-up

In this section we describe the procedures that must be carried out to prepare a system using the proposed authentication protocol for normal operation. These include the data collection procedures associated with enrolment, the construction of the static data sets assigned to each actor in the protocol, and the security assumptions/requirements we impose on these elements. The output of the initialisation procedure is three sets of static data ($AS_{data}$, $DB_{data}$ and $VS_{data}$) which allow the different servers to carry out their roles:

- $AS_{data}$ consists of a list $U = \{ID_1, \ldots, ID_{|U|}\}$ of user identities $ID_i \in \{0,1\}^*$. The index of the user in this list will be used as the application-specific user identifier $uid \in \{1 \ldots |U|\}$.
- $DB_{data}$ consists of biometric classification data ($w_U$) for the set of valid users. This should permit computing pre-decision classification information ($cl$) over authentication requests, but should be totally anonymous for the DB. In particular, we require that the DB obtains information which permits performing pre-classification for the $|U|$ system users consistently with the application-specific user identifiers assigned by the AS. However, it should not receive any information about the user identities themselves.
- $VS_{data}$ consists of information which will allow the VS to obtain a verdict from obfuscated pre-decision classification information. The need for obfuscation is justified by the apparently contradictory requirement that only the VS is capable of producing a decision verdict, but still should be unable to learn the user's real identity, or even trace requests by the same user.

We assume that some trusted authority is available to control the enrolment procedure, and ensure that the static data is assigned to the servers in a secure way: no server obtains any information concerning another server's static data, and no information is leaked to eavesdroppers external to the system.

4.3 Authentication Protocol Definition

The proposed authentication protocol is a five-tuple of probabilistic polynomial time algorithms that the different participants will execute. Each server-side participant stores corresponding static information $AS_{data}$, $DB_{data}$ and $VS_{data}$. The algorithms are:

Participant | Algorithm
VS          | $(params, k_d) \leftarrow \mathrm{Gen}(1^\kappa)$
S           | $auth \leftarrow S(v_{ID}, params)$
DB          | $class \leftarrow \mathrm{Classify}(params, auth, DB_{data})$
AS          | $(sclass, \pi) \leftarrow \mathrm{Shuffle}(params, class, AS_{data})$
VS          | $d \leftarrow \mathrm{Decide}(sclass, params, k_d, VS_{data})$
AS          | $ID / \bot \leftarrow \mathrm{Identify}(d, \pi, AS_{data})$

1. The key generation algorithm Gen is executed by the VS, which stores the secret key $k_d$ securely, and publishes a set of public parameters $params$.
2. On each authentication run, the sensor encrypts fresh biometric data $v_{ID}$ from a user with identity $ID$ using algorithm S and the public parameters, and produces the authentication request $auth$.
3. The AS receives the authentication request and passes it on to the DB for pre-decision classification. This operation is represented by algorithm Classify, which also takes the public parameters and the profile information $DB_{data}$ and returns encrypted classification information $class$.
4. The AS takes $class$ and scrambles it in order to disassociate the decision result from previous authentication runs. This operation is represented by algorithm Shuffle, which outputs scrambled data $sclass$ and a de-scrambling key $\pi$ which the AS keeps to itself.
5. The VS uses the secret key $k_d$ and $sclass$ to perform the final decision step and produces a verdict $d$. This operation is represented by algorithm Decide.
6. Finally, the AS can recover the user's real identity, or a failure symbol, from the verdict $d$ and the de-scrambling key $\pi$ using algorithm Identify.

The soundness condition for our protocol is that the server-side system as a whole, and the AS in
particular, produces a correct decision on the user's authenticity, i.e. recognises whether a new feature belongs to a valid user, and determines the correct identity. Formally, for soundness we require that the following probability yields a value sufficiently close to one for practical use as an authentication protocol, for valid static data $AS_{data}$, $DB_{data}$ and $VS_{data}$ resulting from a successful enrolment procedure, and for all fresh features $v_{ID}$:

$$\Pr\left[\ \mathrm{Identify}(d, \pi, AS_{data}) = r \ :\ \begin{array}{l} (params, k_d) \leftarrow \mathrm{Gen}(1^\kappa) \\ auth \leftarrow S(v_{ID}, params) \\ class \leftarrow \mathrm{Classify}(params, auth, DB_{data}) \\ (sclass, \pi) \leftarrow \mathrm{Shuffle}(params, class, AS_{data}) \\ d \leftarrow \mathrm{Decide}(sclass, params, k_d, VS_{data}) \end{array} \right]$$

where $r = ID$ when $ID$ is in the valid set of users, and $r = \bot$ otherwise.

4.4 Security Model

Intuitively, the security requirements we want to impose are the following:

- Privacy. None of the services (and no passive attacker observing communications) gets enough information to reconstruct an identity/feature pair. More precisely, none of the services can distinguish whether a particular measurement belongs to a particular person.
- Untraceability. Except for the authentication service, none of the other services (and no passive attacker observing communications) gets enough information to recognise a previously authenticated user. More precisely, the database service and the matching service cannot distinguish whether two authentication requests belong to the same person.

We assume that the servers are honest-but-curious, namely that they do not collude and follow the protocol rules, but may try to use the information they obtain to subvert the previous requirements. Formally, this translates into two security models.

Privacy: Feature Indistinguishability. The three server-side components, as well as any eavesdropper which is able to observe the message exchanges corresponding to a protocol execution, must be unable to distinguish which of two features belongs to a particular system user. We call this requirement feature indistinguishability (fIND). We define it using the following experiment, which takes as input a parameter $adv \in \{AS, DB, VS, Eve\}$, and fresh readings $v_0$, from valid user $ID \in U$, and $v_1$ from any user.

$\mathrm{Exp}^{fIND}_{\beta}(adv, v_0, v_1)$:
  $(params, k_d) \leftarrow \mathrm{Gen}(1^\kappa)$
  $auth \leftarrow S(v_0, params)$
  $class \leftarrow \mathrm{Classify}(params, auth, DB_{data})$
  $(sclass, \pi) \leftarrow \mathrm{Shuffle}(params, class, AS_{data})$
  $d \leftarrow \mathrm{Decide}(sclass, k_d, VS_{data})$
  $r \leftarrow \mathrm{Identify}(d, \pi, AS_{data})$
  Return $(v_\beta, \mathrm{view}_{adv})$

where the views of the different participants are:

$\mathrm{view}_{AS} := (auth, class, sclass, \pi, d, r, AS_{data}, params)$
$\mathrm{view}_{DB} := (auth, class, DB_{data}, params)$
$\mathrm{view}_{VS} := (sclass, d, VS_{data}, k_d, params)$
$\mathrm{view}_{Eve} := (auth, class, sclass, d, params)$

We require that, for all $ID \in U$ and all $adv \in \{AS, DB, VS, Eve\}$, the following distributions be computationally indistinguishable ($\approx$):

$$\{(ID, \mathrm{Exp}^{fIND}_{\beta=1}(adv, v_0, v_1))\} \approx \{(ID, \mathrm{Exp}^{fIND}_{\beta=0}(adv, v_0, v_1))\}$$

We define the advantage $\mathrm{Adv}^{fIND}(adv)$ as (the absolute value of) the deviation from $1/2$ in the probability that the adversary guesses $\beta$.

Untraceability: User Indistinguishability. The back-end server-side components, DB and VS, as well as any eavesdropper which is able to observe the message exchanges corresponding to a protocol execution, must be unable to distinguish whether two independent authentication runs correspond to the same system user. We call this requirement user indistinguishability (uIND). We define it using the following experiment, which takes as input a parameter $adv \in \{DB, VS, Eve\}$, and two fresh readings $v_0$ and $v_1$ corresponding to valid users $uid$ and $uid'$ respectively.

$\mathrm{Exp}^{uIND}_{\beta}(adv, v_0, v_1)$:
  $(params, k_d) \leftarrow \mathrm{Gen}(1^\kappa)$
  $auth \leftarrow S(v_\beta, params)$
  $class \leftarrow \mathrm{Classify}(params, auth, DB_{data})$
  $(sclass, \pi) \leftarrow \mathrm{Shuffle}(params, class, AS_{data})$
  $d \leftarrow \mathrm{Decide}(sclass, k_d, VS_{data})$
  $r \leftarrow \mathrm{Identify}(d, \pi, AS_{data})$
  Return $\mathrm{view}_{adv}$

where the different views are defined as above. We require that, for all valid users with user identifiers $uid$ and $uid'$, and all $adv \in \{DB, VS, Eve\}$, the following distributions be computationally indistinguishable ($\approx$):

$$\{(uid, uid', \mathrm{Exp}^{uIND}_{\beta=1}(adv, v_0, v_1))\} \approx \{(uid, uid', \mathrm{Exp}^{uIND}_{\beta=0}(adv, v_0, v_1))\}$$

Again, we define the advantage $\mathrm{Adv}^{uIND}(adv)$ as (the absolute value of) the deviation from $1/2$ in the probability that the adversary guesses $\beta$.

5 A Concrete Implementation

5.1 The SVM Classifier

We
consider a $|U|$-class identification classifier called the Support Vector Machine (SVM) [17] and provide a short description of its operation. The basic SVM is a mono-class authentication classifier (see footnote 3). Extension to $U$ classes follows the one-against-all strategy: for each user $u \in U$, a mono-classifier is trained using the remaining users ($U \setminus u$) as the rejected class. For each user, the learning stage of the SVM determines both an outer and an inner hyperplane in a $k$-dimensional feature space. Said hyperplanes are expressed as a linear combination of $S$ known samples (so-called support vectors $SV_{i,j} \in V_{SVM}$, $i = 1 \ldots S$, $j = 1 \ldots |U|$) weighted with coefficients $\alpha_{i,j} \in \mathbb{N}$. Formally, we have

$$V_{SVM} = \mathbb{N}^k \quad \text{and} \quad W_{SVM} = (\mathbb{N} \times V)^{S \cdot |U|}$$

During authentication, the SVM classifier evaluates the distance of the fresh feature $v$ to these hyperplanes using a scalar product. To account for the fact that the user profile regions may not be linearly separable, the SVM may compute the scalar product in a higher-dimensional space. For this, the SVM classifier uses a kernel function $K$ to project the data into the higher-dimensional space and compute the scalar product in this space in a single step. The advantage is that the computational cost is reduced when compared to a basic projection followed by the scalar product. The classifier function is therefore

$$cl_{SVM}: V_{SVM} \times W_{SVM} \to \mathbb{N}^{|U|}$$
$$cl_{SVM}(v, w_{|U|}) := \big(cl^{(1)}_{SVM}(v, w_{|U|}), \ldots, cl^{(|U|)}_{SVM}(v, w_{|U|})\big)$$

where $w_{|U|}$ contains $(\alpha_{i,j}, SV_{i,j})$ for $1 \le i \le S$ and $1 \le j \le |U|$, and

$$cl^{(j)}_{SVM}(v, w_{|U|}) := \sum_{i=1}^{S} \alpha_{i,j}\, K(v, SV_{i,j}).$$

In this paper, and to simplify the presentation, we will use the particular case where $K(a,b)$ refers to the scalar product between $a$ and $b$ in the initial space: $K(a,b) = \sum_{l=1}^{k} a_l b_l$.

The decision is calculated by finding the index of the maximum positive scalar contained in the vector $cl_{SVM}(v,w)$. If no positive scalar exists, then the reject symbol ($\bot$) is returned:

$$D_{SVM}(cl_{SVM}(v,w)) := \begin{cases} d \leftarrow \arg\max_{j=1}^{|U|} cl^{(j)}_{SVM}(v,w) \\ \text{if } cl^{(d)}_{SVM}(v,w) > 0 \text{ then return } d \text{ else return } \bot \end{cases}$$

Footnote 3: A classifier used in an authentication context: "Am I who I claimed to be?"

5.2 Algorithm Implementations

We refer the reader to Appendix A for a description of the Paillier cryptosystem. The concrete implementations we propose for the algorithms composing our authentication protocol are the following:

- $\mathrm{Gen}(1^\kappa) \to (params, k_d)$. The generation primitive simply uses the key generation algorithm for the Paillier cryptosystem to obtain $(k_e, k_d)$, sets $params \leftarrow k_e$ and returns $(params, k_d)$.
- $S(v) \to auth$. This algorithm takes as input a fresh feature for an unknown user. Recall that the feature space for the SVM is $V_{SVM} = \mathbb{N}^k$, but we can look at the feature as $v := (v_1, \ldots, v_k) \in \mathbb{Z}_n^k$. Encryption is carried out one component at a time and the algorithm returns:
  $$auth \leftarrow (E_{Paillier}(v_1, k_e), \ldots, E_{Paillier}(v_k, k_e))$$
- $\mathrm{Classify}(auth, DB_{data}, params) \to class$. This algorithm uses the homomorphic properties of the Paillier encryption scheme to compute pre-decision SVM classification values without ever decrypting the features in $auth$. More precisely, the algorithm takes the profile data $w_{|U|}$ in $DB_{data}$ and calculates, for $1 \le j \le |U|$,
  $$c_j = \prod_{i=1}^{S} \tilde{K}(auth, SV_{i,j})^{\alpha_{i,j}} = E_{Paillier}\Big(\sum_{i=1}^{S} \alpha_{i,j}\, K(v, SV_{i,j}),\ params\Big)$$
  where, using $[\cdot]_l$ to denote the $l$-th component in a tuple, $\tilde{K}$ is defined by
  $$\tilde{K}(auth, SV_{i,j}) := \prod_{l=1}^{k} [auth]_l^{[SV_{i,j}]_l}$$
  To prevent the AS from performing an exhaustive search of the profile space, the DB also re-randomises the encryptions by calculating:
  $$class_j = (c_j \cdot r_j^n) \bmod n^2$$
  The algorithm returns $class = (class_1, \ldots, class_{|U|})$.
- $\mathrm{Shuffle}(class) \to (sclass, \pi)$. This algorithm generates a fresh permutation $\pi: \{1, \ldots, |U|\} \to \{1, \ldots, |U|\}$, re-randomises all the ciphertext components in $class$ and returns the permuted re-randomised vector as $sclass$. More precisely, we have $sclass = (sclass_1, \ldots, sclass_{|U|})$ where
  $$sclass_j = (class_{\pi(j)} \cdot r_j^n) \bmod n^2$$
- $\mathrm{Decide}(sclass, k_d, VS_{data}) \to d$. This algorithm decrypts the components in $sclass$ and performs classification as described for the SVM classifier. The result $d$ is the index in the input vector corresponding to the largest positive scalar, or $\bot$ if no positive scalar exists.
- $\mathrm{Identify}(d, \pi, AS_{data}) \to ID$. For authentication runs
where $d \neq \bot$, this algorithm simply finds $uid$ such that $uid = \pi^{-1}(d)$ and returns the associated identity $ID$. Otherwise it returns $\bot$.

5.3 Security Analysis

In Appendices B and C we prove two theorems, which capture the security properties of the proposed protocol.

Theorem 1. The proposed protocol ensures feature privacy. More precisely, any PPT adversary has negligible advantage in distinguishing the distributions associated with $\mathrm{Exp}^{fIND}$.

Theorem 2. The proposed protocol ensures user untraceability. More precisely, any PPT adversary has negligible advantage in distinguishing the distributions associated with $\mathrm{Exp}^{uIND}$.

Remark: On the (in)security of the Bringer et al. protocol. The fIND model we propose is a more formal version of Security Requirement 2 proposed by Bringer et al. [1] for their authentication protocol. The security argument presented for this protocol describes a reduction to the semantic security of the Goldwasser-Micali cryptosystem. However, the argument fails to cover a simple attack by the AS. The attack is possible because the interaction between the AS server and the DB server does not include a re-randomisation of the resulting ciphertexts. This means that it may be possible for the AS to recover the user profile data that the DB server has used in the calculations. After recovering a biometric profile, the AS server is able to determine on its own which features belong to a user, without even executing the protocol. More precisely, and referring to the notation in [1], the AS calculates $(E(t_1, pk), \ldots, E(t_N, pk))$, where $N$ is the number of users, $t_j = 0$ for all indexes except $j = i$, for which $t_j = 1$, and $i$ is the index of the user to be authenticated. The DB server receives these ciphertexts and calculates $E(b_{i,k}, pk) = \prod_{j=1}^{N} E(t_j, pk)^{b_{j,k}} \bmod n$, for $1 \le k \le M$, where $(b_{i,1}, \ldots, b_{i,M})$ is the biometric profile corresponding to user $i$. On receiving $E(b_{i,k}, pk)$, the AS can try to work out whether $b_{i,k}$ is 1 or 0. To do this, it tries to calculate $E(b_{i,k}, pk) / \prod_{j \in J} E(t_j, pk) \bmod n$, for all subsets $J \subseteq \{1 \ldots N\} \setminus \{i\}$, where the $E(t_j, pk)$ are exactly the same as those passed originally to the DB. If in these calculations the AS obtains 1, then it knows $b_{i,k} = 0$; if it obtains $E(t_i, pk)$, then it knows $b_{i,k} = 1$. The feasibility of this attack depends on the number of users $N$: in fact its complexity is exponential in $N$, which means it may be infeasible for a very large $N$. However, a simple patch to the protocol, preventing the attack altogether even for small $N$, is to ensure that the DB server re-randomises ciphertexts after applying the homomorphic transformations. We emphasise that the security reduction presented in this paper for the proposed protocol explicitly precludes this type of attack.

6 Discussion and Conclusion

We have presented a hybrid protocol for secure biometric authentication which permits adopting state-of-the-art pattern recognition classifiers to improve over the authentication accuracy of existing solutions. Our protocol follows the approach of Bringer et al. [1], adopting the point of view that biometric information may be stored in public servers, as long as it is guaranteed that it remains anonymous if security is breached. To allow for the use of more powerful classification techniques, namely the SVM classifier, we use the Paillier public key encryption scheme, taking advantage of its homomorphic properties.

The main advantages of the proposed protocol over previous solutions can be summarised as follows:

- Potential for much better accuracy using different types of biometric signals, including behavioural ones.
- Improved user privacy, since user identities are not transmitted at any point in the protocol execution. This is possible because the classifiers we adopt are identification classifiers, which do not need to know who the user claims to be in order to perform authentication and recover the user identity.

Security of the proposed protocol has been formalised in two security models: feature indistinguishability and user indistinguishability. These are extended versions of the models proposed in [1], where we also account for
eavesdroppers external to the system. We provide a reduction relating the security of our authentication protocol to the security of the Paillier encryption scheme. We also describe a simple attack against the Bringer et al. protocol, and show how it can be easily repaired.

Acknowledgements. The authors would like to thank Michel Abdalla for reading and commenting on an earlier version of this paper.

References

1. Bringer, J., Chabanne, H., Izabachene, M., Pointcheval, D., Tang, Q., Zimmer, S.: An application of the Goldwasser-Micali cryptosystem to biometric authentication. In Pieprzyk, J., Ghodosi, H., Dawson, E., eds.: ACISP. Volume 4586 of Lecture Notes in Computer Science, Springer (2007) 96–106
2. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Cryptology ePrint Archive, Report 2003/235 (2003) http://eprint.iacr.org/
3. Boyen, X.: Reusable cryptographic fuzzy extractors. In: CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security, New York, NY, USA, ACM (2004) 82–91
4. Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Advances in Cryptology - EUROCRYPT 2005. Volume 3494 of Lecture Notes in Computer Science, Berlin: Springer-Verlag (2005) 147–163. Available at http://www.cs.stanford.edu/~xb/eurocrypt05b/
5. Monrose, F., Reiter, M.K., Wetzel, S.: Password hardening based on keystroke dynamics. In: CCS '99: Proceedings of the 6th ACM Conference on Computer and Communications Security, New York, NY, USA, ACM (1999) 73–82
6. Hocquet, S., Ramel, J.Y., Cardot, H.: Fusion of methods for keystroke dynamic authentication. Automatic Identification Advanced Technologies, 2005. Fourth IEEE Workshop on (17-18 Oct. 2005) 224–229
7. Monrose, F., Reiter, M., Li, Q., Wetzel, S.: Cryptographic key generation from voice. Security and Privacy, 2001. S&P 2001. Proceedings. 2001 IEEE Symposium on (2001) 202–213
8. Yegnanarayana, B., Prasanna, S., Zachariah, J., Gupta, C.: Combining evidence from source, suprasegmental and spectral features for a fixed-text speaker verification system. Speech and Audio Processing, IEEE Transactions on 13 (July 2005) 575–582
9. Cauchie, S., Brouard, T., Cardot, H.: From features extraction to strong security in mobile environment: A new hybrid system. In Meersman, R., Tari, Z., Herrero, P., eds.: OTM Workshops (1). Volume 4277 of Lecture Notes in Computer Science, Springer (2006) 489–498
10. Feng, H., Choong, W.C.: Private key generation from on-line handwritten signatures. Inf. Manag. Comput. Security 10 (2002) 159–164
11. Fuentes, M., Garcia-Salicetti, S., Dorizzi, B.: On-line signature verification: Fusion of a hidden Markov model and a neural network via a support vector machine. IWFHR 00 (2002) 253
12. Goh, A., Ling, D.N.C.: Computation of cryptographic keys from face biometrics. In Lioy, A., Mazzocchi, D., eds.: Communications and Multimedia Security. Volume 2828 of Lecture Notes in Computer Science, Springer (2003) 1–13
13. Yan, T.T.H.: Object recognition using fractal neighbor distance: eventual convergence and recognition rates. Pattern Recognition, 2000. Proceedings. 15th International Conference on 2 (2000) 781–784 vol. 2
14. Uludag, U.A.J.: Securing fingerprint template: Fuzzy vault with helper data. Computer Vision and Pattern Recognition Workshop, 2006 Conference on (17-22 June 2006) 163–163
15. Guo, H.: A hidden Markov model fingerprint matching approach. Machine Learning and Cybernetics, 2005. Proceedings of 2005 International Conference on 8 (18-21 Aug. 2005) 5055–5059 Vol. 8
16. Hao, F., Anderson, R., Daugman, J.: Combining crypto with biometrics effectively. IEEE Transactions on Computers 55 (2006) 1081–1088
17. Crammer, K., Singer, Y.: On the algorithmic implementation of multiclass kernel-based vector machines. Journal of Machine Learning Research 2 (2001) 265–292
18. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: EUROCRYPT. (1999) 223–238
19. Paillier, P., Pointcheval, D.: Efficient public-key cryptosystems provably secure against active adversaries. In: ASIACRYPT. (1999) 165–179
20. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: Security proofs and improvements. In: EUROCRYPT. (2000) 259–274

Appendix A: Paillier Public Key Encryption Scheme

The Paillier public key encryption scheme [18,19] can be described as follows:

- Key generation: $G_{Paillier}(1^\kappa) = (k_d, k_e)$. The PPT key generation algorithm takes a security parameter $1^\kappa$ as input, and randomly generates two large prime numbers $p$ and $q$, setting $n = pq$ and $\lambda = \mathrm{lcm}(p-1, q-1)$. The algorithm then randomly selects $g \in \mathbb{Z}^*_{n^2}$, such that $n$ divides the order of $g$. This can be ensured by checking that
  $$\gcd(L(g^\lambda \bmod n^2), n) = 1, \quad \text{where } L(u) = \frac{u-1}{n}$$
  which in turn implies that the following multiplicative inverse exists:
  $$\mu = \big(L(g^\lambda \bmod n^2)\big)^{-1} \bmod n$$
  The public key is then $k_e = (n, g)$ and the secret key is $k_d = (\lambda, \mu)$.
- Encryption: $E_{Paillier}(m, k_e)$. The PPT encryption algorithm takes a message $m \in \mathbb{Z}_n$ and the public key $k_e = (n, g)$, generates $r$ uniformly at random from $\mathbb{Z}_n$ and outputs a ciphertext $c \in \mathbb{Z}_{n^2}$, where $c = g^m \cdot r^n \bmod n^2$.
- Decryption: $D_{Paillier}(c, k_d)$. The deterministic decryption algorithm takes a ciphertext $c$ and the secret key and outputs the plaintext $m$, which is recovered as $m = L(c^\lambda \bmod n^2) \cdot \mu \bmod n$.

It has been shown [19] that, under the composite residuosity assumption, the Paillier cryptosystem provides semantic security against chosen-plaintext attacks (IND-CPA). In other words, any PPT adversary $A$ has only a negligible advantage in the following game against the Paillier cryptosystem:

$\mathrm{Exp}^{IND\text{-}CPA}_{Paillier}(A)$:
  $(k_d, k_e) \leftarrow G_{Paillier}(1^\kappa)$
  $(m_0, m_1, s) \leftarrow A_1(k_e)$
  $\beta \leftarrow \{0,1\}$
  $c \leftarrow E_{Paillier}(m_\beta)$
  $\beta' \leftarrow A_2(c, s)$
  return $\beta'$

where the attacker's advantage $\mathrm{Adv}^{IND\text{-}CPA}_{Paillier}$ is defined as:

$$\mathrm{Adv}^{IND\text{-}CPA}_{Paillier} = \big|\Pr[\mathrm{Exp}^{IND\text{-}CPA}_{Paillier} = 1 \mid \beta = 1] - \Pr[\mathrm{Exp}^{IND\text{-}CPA}_{Paillier} = 1 \mid \beta = 0]\big|$$

In our scheme we will be using the Paillier cryptosystem to encrypt biometric features represented as short sequences of integer numbers. Encryption will be component-wise, where we assume that each integer component in the feature is in a range suitable for direct encoding into the
message space4.For this reasonwe require a generalisation of the IND-CPA property allowing the adversaryto make a polynomial number n of queries to a Left-or-Right challenge oracle.We call this notion n-IND-CPA and emphasize that the security of the Paillierencryption scheme in this setting is implied by its semantic security [20].We will also take advantage of the following homomorphic properties of thePaillier encryption scheme:EPaillier(a;ke)EPaillier(b;ke) = EPaillier(a +b;ke)EPaillier(a;ke)b= EPaillier(ab;ke)The aditive property also provides a method to re-randomize a given Pailliercryptosystem which we will use:(EPaillier(a;ke;r0)  rn) mod n2= EPaillier(a;ke;r0r):4In practice,SVM features can be represented using integers in the range 100 to100,which can be easily encoded into Zn.Appendix B:Proof of Theorem 1The proof is divided in four claims,corresponding to the dierent values thatadv can take.Claim 1:f(ID;ExpfIND=1(AS;v0;v1))g  f(ID;ExpfIND=0(AS;v0;v1))g.To prove thisclaim we argue that any distinguisher with non-negligible advantage can beused to break the security of the Paillier cryptosystem.For this we constructa sequence of three games,where the rst corresponds to distinguishing thedistributions associated with ExpfIND.The second game is identical to the originalone,with the caveat that instead of encrypting v0,the experiment now encryptsa random value in the feature space v00.We claim that the advantage of anyadversary in distinguishing the distributions associated with this newexperimentmust be negligibly dierent from that in the original game.To show this webuild a distinguisher D1which attacks the k-IND-CPA security of the Pailliercryptosystem,where k is the length of the feature vector v,given any adversarycontradicting the previous claim.D1works as follows:{ D1receives the Paillier challenge public key and uses it as params.{ D1sets up a make-believe authentication system with a set of legitimateusers U,generates one feature v0for a 
particular user ID,plus an additionalfeature v1for an arbitrary user,and a random value in the feature space v00.{ D1passes features v0and v00to the k-IND-CPA challenge oracle,obtaining acomponent-wise encryption of one of these features,and takes this encryptionas auth.{ D1then simulates the protocol trace for AS by running the Classify andShue algorithms.Since D1does not know the secret key associated withthe challenge public key,it simply doesn't run Decide and Identify,takingd and r corresponding to ID as the obvious result.Note that this is consis-tent with the feature indistinguishability security game.The protocol tracegenerated for the AS is thereforeviewAS= (auth;class;sclass;;d;r;ASdata;params){ D1tosses a coin  and passes f(ID;(v;viewAS))g to AS.{ Eventually,AS will return its guess 0,and D1returns b = 1 if A's guess iscorrect and b = 0 otherwise.Note that if the k-IND-CPAchallenge encrypts v0(call this event E),then ASis run according to the correct rules of ExpfINDand therefore game 1.Conversely,if it encrypts v00then the adversary is run under the rules of game 2.Denotingby Pr[Si]the probability of success in game i,we have:jPr[S1] Pr[S2]j = jPr[0= jE] Pr[0= j:E]j = AdvkINDCPAPaillier(D1)To bound the probability that the AS can distinguishing the distributions asso-ciated with game 2 we observe that the protocol trace itself contains no infor-mation about v0or v1.Hence,any advantage in distinguishing the features canonly be obtained by the AS by recovering biometric prole information from theprotocol trace i.e.attacking DBdata.To ensure that this is not possible,we introduce game 3,where DBdataisreplaced by a randomvalue in the prole space.It is clear that under the rules ofgame 3,and since no information is provided to the AS regarding the biometricsystem at all,it can have no advantage in guessing ,i.e.Pr[S3] = 1=2.To complete the proof,we show that any adversary whose behaviour changesnon-negligibly from game 2 to game 3 can be used 
to attack the jUj-IND-CPAsecurity of the Paillier encryption scheme.For this,we build a distinguisher D2which works as follows:{ D2receives the Paillier challenge public key and uses it as params.{ D2sets up a make-believe authentication system with a set of legitimateusers U,generates one feature v0for a particular user ID,plus an additionalfeature v1for an arbitrary user,and a random value in the feature space v00.{ D2(component-wise) encrypts v00of appropriate size with the challenge pub-lic key and calls this auth.{ D2then uses DBdatato calculate the cleartext versions of pre-classicationresults corresponding to v00(call these scores s = (s1;:::;sjUj)).{ D2then generates an alternative version of DBdataby selecting a ran-dom value in the prole space,and calculates the cleartext versions of pre-classication results corresponding to v00(call these scores r = (r1;:::;rjUj))under this arbitrary pre-classication system.{ D2then uses the jUj-IND-CPAchallenge oracle to construct class by takingclassjas the answer to a query (sj;rj).{ D2then executes Shue to obtain sclass and sets d and r to the valuescorresponding to ID.The protocol trace generated for the AS is thereforeviewAS= (auth;class;sclass;;d;r;ASdata;params){ D2tosses a coin  and passes f(ID;(v;viewAS))g to AS.{ Eventually,AS will return its guess 0,and D2returns b = 1 if A's guess iscorrect and b = 0 otherwise.Clearly,D2interpolates between games 2 and 3 depending on the hidden bit inthe Left-or-Right challenge oracle,and we have:jPr[S2] Pr[S3]j = AdvjUjINDCPAPaillier(D2)Finally,putting the previous results together,we haveAdvfIND(AS)  AdvkINDCPAPaillier(D1) +AdvjUjINDCPAPaillier(D2) Similarly to the arguments in [1],the remaining claims follow directly fromthe fact that the adversary,in each case,has no information about user identities.Claim 2:f(ID;ExpfIND=1(DB;v0;v1))g  f(ID;ExpfIND=0(DB;v0;v1))g.Claim 3:f(ID;ExpfIND=1(V S;v0;v1))g  f(ID;ExpfIND=0(V S;v0;v1))g.Claim 
4:f(ID;ExpfIND=1(Eve;v0;v1))g  f(ID;ExpfIND=0(Eve;v0;v1))g.Appendix C:Proof of Theorem 2The proof is divided in three claims,corresponding to the dierent values thatadv can take.Claim 1:f(uid;uid0;ExpuIND=1(DB;v0;v1))g  f(uid;uid0;ExpuIND=0(DB;v0;v1))g.The DB server shares with the AS server the notion of user identier.However,it has no access to user features or decision results at any point,so the only meansit would have to achieve user traceability would be to break the security of theunderlying encryption scheme.More formally,we can construct a reduction tothe k-IND-CPA security of the Paillier encryption scheme,where k is as before,by describing an algorithmB that attacks the k-IND-CPAsecurity of the Pailliercryptosystem given an adversary which contradicts the previous claim:{ B receives the Paillier challenge public key and uses it as params.{ B sets up a make-believe authentication systemwith a set of legitimate usersU and generates valid feature/user identier pairs (v0;uid) and (v1;uid0).{ B passes (v0;v1) to the k-IND-CPAchallenge oracle,obtaining a component-wise encryption of one of these features,and takes this encryption as auth.{ B then simulates the protocol trace for DB by running the Classify algo-rithm.The protocol trace generated for the DB is thereforeviewDB= (auth;class;DBdata;params){ B passes (uid;uid0;viewDB) to DB.{ Eventually,DB will return its guess 0,and B simply returns this as its ownguess of which feature is encrypted in the k-IND-CPA challenge.Note that the way in which B is constructed directly transforms any advantagein A guessing  into an advantage in guessing the k-IND-CPA challenge bit.More precisely,and taking into account our denitions of advantage:AdvuIND(DB) = 2AdvkINDCPAPaillier(B)Claim 2:f(uid;uid0;ExpuIND=1(V S;v0;v1))g  f(uid;uid0;ExpuIND=0(V S;v0;v1))g.The V S is unable to trace user authentication runs due to the fact that a freshindependent permutation  is generated each time the service is 
called.In fact,in the information-theoretical sense V S's view leaks nothing about user identi-ers:the V S receives no information about user identiers in its static data,andsuccessive decision results produce indexes d are independent and uniformly inde-pendently distributed,due to the action of the random permutation in Shue.Claim 3:f(uid;uid0;ExpuIND=1(Eve;v0;v1))g  f(uid;uid0;ExpuIND=0(Eve;v0;v1))g.Eavesdroppers cannot trace user requests because they cannot correlate theephemeral index d associated with sclass with the static user identier in-dexes associated with class.This is ensured by re-randomizing the ciphertextscontained in these protocol messages.Hence,without breaking the security ofthe Paillier encryption scheme,eavesdroppers can have no advantage in tracinguser requests.More formally,we argue that any distinguisher which contradicts the claimcan be used to break the security of the Paillier cryptosystem.For this we con-struct a sequence of two games,where the rst corresponds to distinguishingthe distributions associated with ExpuIND.The second game is identical to theoriginal one,with the exception that the value of d,the result of Decide,isselected uniformly at random.We argue that the advantage of any adversaryunder the rules of this slightly altered security game must be negligibly dierentfromits advantage in the original game.We support this argument by presentinga distinguisher D which is able to translate A's advantage in detecting this slightchange of rules into an advantage in attacking the jUj-IND-CPA security of thePaillier cryptosystem:{ D receives the Paillier challenge public key and uses it as params.{ D sets up a make-believe authentication systemwith a set of legitimate usersU and generates valid feature/user identier pairs (v0;uid) and (v1;uid0).{ D ips a bit  and (component-wise) encrypts vwith the challenge publickey and calls this auth.{ D then uses the DBdatato calculate the cleartext versions of the 
pre-classication results corresponding to v(we call these scores (s1;:::;sjUj))and encrypts themwith the challenge public key to obtain a simulated class.{ D generates two random permutations  and 0compatible with possibleruns of the authentication system,{ Dthen constructs the simulated sclass by calling the external Left-or-Rightoracle with ((sj);0(sj)) for each component sclassj.{ D then nalises the protocol trace for Eve by taking d = (uid) if  = 0 ord = (uid0) if  = 1.The protocol trace generated for the Eve is thereforeviewEve= (auth;class;sclass;d;params){ D passes (uid;uid0;viewEve) to Eve.{ Eventually,Eve will return its guess 0,and D returns 1 if Eve's guess iscorrect,and 0 otherwise.Note that D perfectly simulates a protocol run under the rules of geme 1 using ,if the Left-or-Right oracle is encrypting the left-hand messages (call this eventE).Conversely,if the oracle is encrypting the right-hand messages,then theprotocol run is using 0.However,since the value of d is calculated using ,itwill be independent and uniformly distributed under Eve's view,which meansthat D is running the adversary under the rules of game 2.Hence,any dierencein the adversary's behaviour when run in games 1 or 2 is translated by D into anadvantage in attacking the jUj-IND-CPA security of the Paillier cryptosystem.Denoting by Pr[Si]the probability of success in game i,we have:jPr[S1] Pr[S2]j = jPr[0= jE] Pr[0= j:E]j = AdvjUjINDCPAPaillier(D)To bound the probability of success of an adversary in game 2,we present analgorithm B which uses any attacker with non-negligible advantage in game 2to break the k-IND-CPA security of the Paillier cryptosystem:{ B receives the Paillier challenge public key and uses it as params.{ B sets up a make-believe authentication systemwith a set of legitimate usersU and generates valid feature/user identier pairs (v0;uid) and (v1;uid0).{ B passes (v0;v1) to the k-IND-CPAchallenge oracle,obtaining a component-wise encryption of 
one of these features.We take this encryption as auth.{ B then simulates the protocol trace for Eve by running the Classify andShue algorithms.Since B does not know the secret key associated withthe challenge public key,it simply doesn't run Decide taking a random das the result.The protocol trace generated for the Eve is thereforeviewEve= (auth;class;sclass;d;params){ B passes (uid;uid0;viewEve) to Eve.{ Eventually,Eve will return its guess 0,and B simply returns this as its ownguess of which feature is encrypted in the k-IND-CPA challenge.Putting together the result relating games 1 and 2 with the fact that Bperfectly simulates the second game,we have:AdvuIND(Eve)  AdvjUjINDCPAPaillier(D) +1=2AdvkINDCPAPaillier(B) 
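As an added illustration, not code from the paper, the Paillier operations of Appendix A in Python: key generation with the $\gcd(L(g^\lambda \bmod n^2), n) = 1$ check, encryption, decryption, the two homomorphic properties, the ciphertext re-randomisation that Section 5 proposes as the patch for the DB server, and the signed-integer feature encoding of footnote 4. The primes are constructed toy values, and `weighted_score` is a hypothetical stand-in for the DB's homomorphic pre-classification step, not the paper's Classify algorithm.

```python
# Added example, not the paper's code: toy Paillier following Appendix A.
import secrets
from math import gcd

# Constructed toy parameters: two Mersenne primes, far too small for real use.
# Prime generation itself is out of scope; a real deployment uses large primes.
TOY_P, TOY_Q = 2**31 - 1, 2**61 - 1


def keygen(p=TOY_P, q=TOY_Q):
    """G_Paillier: n = pq, lambda = lcm(p-1, q-1), random g with n | ord(g)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    L = lambda u: (u - 1) // n          # L(u) = (u - 1) / n from Appendix A
    while True:  # accept g once gcd(L(g^lambda mod n^2), n) = 1
        g = secrets.randbelow(n2 - 1) + 1
        if gcd(g, n) == 1 and gcd(L(pow(g, lam, n2)), n) == 1:
            break
    mu = pow(L(pow(g, lam, n2)), -1, n)  # modular inverse (Python >= 3.8)
    return (n, g), (lam, mu)


def encrypt(m, pk, r=None):
    """E_Paillier: c = g^m * r^n mod n^2 with r uniform in Z_n^*."""
    n, g = pk
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(c, pk, sk):
    """D_Paillier: m = L(c^lambda mod n^2) * mu mod n."""
    (n, _), (lam, mu) = pk, sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(c1, c2, pk):        # E(a) * E(b) = E(a + b)
    return c1 * c2 % (pk[0] ** 2)


def scalar_mul(c, b, pk):   # E(a)^b = E(a * b)
    return pow(c, b, pk[0] ** 2)


def rerandomise(c, pk):     # E(a; r0) * r^n mod n^2 = E(a; r0 * r); E(0; r) = r^n
    return c * encrypt(0, pk) % (pk[0] ** 2)


def encode(x, n):           # signed SVM feature component -> Z_n (footnote 4)
    return x % n


def decode(m, n):           # Z_n -> signed: residues above n/2 are negative
    return m - n if m > n // 2 else m


def encrypt_feature(vec, pk):
    """Component-wise encryption of a feature vector, as in the protocol."""
    return [encrypt(encode(x, pk[0]), pk) for x in vec]


def decrypt_feature(cvec, pk, sk):
    return [decode(decrypt(c, pk, sk), pk[0]) for c in cvec]


def weighted_score(cvec, weights, pk):
    """Hypothetical homomorphic dot product sum_i w_i * v_i (v encrypted, w clear)."""
    acc = encrypt(0, pk)
    for c, w in zip(cvec, weights):
        acc = add(acc, scalar_mul(c, w % pk[0], pk), pk)
    return acc
```

With a fixed $r$, two encryptions of the same value are identical, which is why a server that reuses ciphertexts it was sent must re-randomise them before replying.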